Digital Lifestyle

Digital Lifestyle

Cisco OfficeExtend – Always Connected

Over the past few weeks I’ve received a few tweet’s asking if anyone has setup Cisco’s OfficeExtend solution and what were some of the gotchas that you ran into. After this last round I decided I might as well blog about it, so here goes!

What is it?

The Cisco OfficeExtend solution does as its name implies, it “extends” your wireless network to a remote home office for example. For a few years now we have had HREAP mode APs that allow us to use LWAPP/CAPWAP APs over a WAN link with higher latencies for a remote small office, now we have the ability to bring this home as well.

What do I need?

Hopefully if you are reading this you have some experience in Wireless network from an Enterprise class so I won’t go over every little detail. Basically OfficeExtend requires an internal Cisco AIR-5508 Wireless LAN Controller. Per best practices and proper security a 2nd AIR-5508 is required as well. This 2nd WLC is placed into your DMZ and has a NAT address assigned to it with ports UDP 5246 and 5247 open to it from the big bad Internet. If you work with Cisco WLC’s you’ll notice that this sounds awfully familiar, say maybe from a Guest anchor deployment? (Makes that anchor controller seem a little better now doesn’t it!) Instead of anchoring a WLAN from the internal to the DMZ we do the reverse, we set the internal WLC the anchor for the DMZ. The end user then needs a Cisco 1131 or 1142 CAPWAP AP running 6.0 code or newer.

What does it do for me?

Here comes the best part, you prep the AP with the public address set on the WLC and bring the AP home or to a hotel etc. Once the AP comes online here comes your corporate networks with all of their security requirements, no need for VPN! Each of the WLANs that you set on the DMZ WLC with the internal WLC as their anchor will be available for you to use. For example, at my work we push down our internal Data, Voice, and also Guest networks to employees homes. When I leave my office with my Cisco 7925 wireless phone in my bag the minute I pull in the garage it connects back up and I can make/receive calls.

What’s the catch?

As with everything there are some caveats when setting this up. If you look at the diagram you can see the list of ports that are needed to be opened between the Firewalls. One thing you might notice right away is that I have to open up UDP 1812/1813 commonly used for Radius to my internal network, why is that you ask? Well unlike the Guest anchor solution where the user is authenticated on the anchor WLC with an OfficeExtend solution you are authenticated before you hit the anchor controller. So anything authentication methods that require EAP types will require you to grant access to your ACS or Radius server from the DMZ. Secondly if you have worked with Cisco WLCs you know that to do this the AP needs to be HREAP and then have the OfficeExtend box checked. Putting an AP into HREAP mode is easy, the hard part is getting it to join the public IP address. A process that works for me is converting it to HREAP mode, then allowing it to come back up after downloading the new code. Once the AP returns I check the box for OfficeConnect. After this is done I change the primary controller name to my DMZ WLC and set the IP to the public IP. Here’s the tricky part, luckily I have a DSL line at work which I can hook the AP up to and test the connection back to the DMZ network via the public IP.

So there you have it, Cisco OfficeExtend in a nutshell. Ever since deploying the solution I have not had a need to use VPN at home, what’s even more great is the fact that whenever IT pushes out a Kasperksy update that makes VPN no longer work I still have remote access!

Your article helped clear up the firewall rules etc that I found lacking in the official docs – thanks! I’m still having some trouble at the final configuring of the AP (after you convert it to OEAP mode) – I can see udp/5246 come in from the internet but the controller doesnt see the AP… anyway if you could drop me a line I’d appreciate it. Thanks again Blake.

I would like to also offer my experience with setting this up. I chose to poke holes in the firewall and expose my WLC on the required ports and configure a static NAT. I then ran into an issue with the controller responding to the APs request with the private IP and not the public IP. I had to paste this to the WLC: config network ap-discovery nat-ip-only disable
This allows the WLC to respond to my internal APs with the internal IP and on the external IP to the OEAPs.

Then I configured, under the management interface, the NAT with the public IP. Once I did this, the AP joined the WLC and I was able to connect to all ssid’s.

The issue I’m now seeing and need to resolve still is I don’t have access to the corporate network resources that I should have access to. I can access the internet and I can configure my private ssid. I must be missing something, just haven’t found what it is.

This is a great article. I wish I found it two months ago before we started testing remote APs. We ran into the same issues with the 7925 phones. The 600s don’t do well with them but the 1142s have no issues. Now we are trying to get a IP phone working remotely via the remote vlan. I am glad he covered that in his May issue. One other thing, the higher the bandwidth at home the better the experience.